Who Actually Owns Article 35: Are You Proving Compliance to the Regulator, or Chasing Your Own Shadow?
Pressure is part of the compliance landscape. But with the EU AI Act’s Article 35, confusion moves faster than clarity. Many teams are scrambling to “demonstrate” that their high-risk AI systems are linked to a notified body, only to find there is no legitimate list available. That’s not an accident. The only authority that can appoint or recognise a notified body is the European Commission itself, via official publication. If you’re chasing PDFs, consultant lists, or vendor promises, you’re not building compliance; you’re gambling with your organisation’s future.
When the regulator checks your audit, you won't be judged by frantic paperwork or guesswork; you'll be measured against the facts.
The real job is brutally simple: show living evidence that every relevant AI system in scope is traceably tied to an official notified body, with no fiction and no provisional bets. If the Commission hasn’t updated the NANDO database, you simply log a placeholder and prove you’re prepared to adapt on a dime. If the regulator’s list updates overnight, your system needs to snap in, with every reference, log, and certificate ready to reference the legitimate source. Nothing else counts.
Waiting for official lists isn’t an excuse for inaction. Compliance now means adaptable, “never static” documentation: a structure that absorbs change without collapse. The moment the real list drops, only direct, traceable proof will matter. Anything less risks a finding of nonconformity or escalates into a wider investigation. There’s no shortcut past this truth.
Where Are the “Real” Notified Body Lists? Cutting Through the Noise
Look around: industry forums, webinars, and even respected vendors are sharing informal “notified body” tables or PDFs. They’re all noise until proven legal. The reality is binary. Only two sources have official standing:
- European Commission Publications: The Commission alone decides who is a notified body, publishing lists and changes via its formal channels.
- NANDO Portal (Q3–Q4 2024 expected update): The New Approach Notified and Designated Organisations database is the only recognised registry. Until it’s updated for AI, every other list is provisional or speculative.
There is currently no official list; this status is confirmed by the European Commission as of May 2024. (nando.cenelec.eu)
This means any audit “evidence” linked to unofficial or outdated lists will be rejected immediately, and may expose your organisation to further regulatory action. Auditors don’t check PDFs or vendor summaries; they audit against the currently published, regulator-maintained source.
Your strategy must resist every shortcut. The moment the NANDO AI list is published, all evidence must update overnight. Building compliance around anything less is wasted time and unnecessary risk.


What Does Article 35 Compliance Evidence Actually Look Like in 2024?
Most organisations imagine compliance as a stack of signed PDFs or a package from a consultant. Article 35, and modern regulators, are asking for something radically different: dynamic, always-current evidence, meaning documentation that adapts as the regulatory environment changes, not weeks later.
Elements of Robust, Audit-Ready Article 35 Documentation
Dynamic Evidence Chains: Each high-risk AI system needs a living record, mapped to its assessment type, with notified body fields left open but ready to be populated the moment the NANDO list publishes. This ensures a seamless, transparent handover from preparation to official registration.
Centralised, Versioned Records: Shared drives and static PDFs belong to the last decade. Modern compliance platforms, such as ISMS.online, manage permissions, automate change tracking, and enable instant patching when authorities publish a new body or rule.
APIs and Integration: When your compliance framework connects directly to regulatory databases and updates (NANDO, ISO 42001 crosswalks, etc.), you gain certainty, with no manual scans or last-minute email chains. You’re “audit-native” by design.
Maintain up-to-date records of assessment results and certificates issued by notified bodies… Documented compliance artefacts must be readily available and current for authorities or auditors. (iso.org/standard/81228.html)
The only sustainable system is built for speed: every record, every piece of evidence, must be ready to pivot the moment the regulator acts. That’s the agility the law demands.
How Does ISO/IEC 42001:2023 Transform Article 35 Confidence?
Regulatory evidence is digital, not desk-bound. The legal requirement of Article 35 is a binary: show that each system is properly mapped and linked to the designated notified body, or fail.
ISO/IEC 42001 isn’t just an “add-on.” It’s the engine that keeps you audit-ready:
ISO 42001 as a Living Compliance Multiplier
Clause-by-Clause Traceability: ISO 42001 details every control, from defining context to updating contact lists. This means you can trace every assignment, every notified body linkage, and every assessment without gaps or stale records.
Longitudinal Audit Trails: Regulators (and your own risk teams) expect time-stamped, user-identified logs for every step: risk assessment, control allocation, regulator notifications, and audit responses. Not just “what,” but “when” and “by whom.”
Update-First, Not PDF-First: The improvement cycle is built in; records must adapt immediately to any regulatory change. If the NANDO list updates, your evidence refreshes overnight; with ISMS.online-style automation, this is no longer a manual scramble.
ISO 42001’s lifecycle approach ensures every control (context mapping, risk management, documentation, audit records) is in place. Records must be tightly linked to notified bodies and identification numbers. (iso.org/standard/81228.html; njordium.com/2025/06/12)
Modern compliance means being ready not just for the audit today, but for every change tomorrow.


Mapping ISO 42001 Clauses to Article 35 Proof Requirements
The regulatory focus is sharper than many realise. Not every ISO 42001 clause draws the same scrutiny when proving Article 35 compliance. Auditors and regulators focus on the controls that explicitly tie your evidence to the notified body landscape.
System and Context Definition (Clause 4)
Before aiming for conformity, document clear, digital boundaries for every AI system, defining scope, data sources, stakeholders, and intended use. This log becomes crucial when you must show linkage to an appointed notified body.
- *In Practice*: Store initialization records digitally, enable instant context refresh, and maintain alignment with forthcoming NANDO entries. This is your line of sight for every update or change of notified body status.
Risk Management (Clause 8)
Risk registers must be dynamic. For every identified risk, linked mitigation, and notified body reference, the trail needs to be time-stamped and attributable. This minimises audit friction and demonstrates regulatory maturity.
- *In Practice*: Digital risk registers not only track who made each entry, but tie every control or mitigation action to the real-time status of notified bodies, never lagging behind the official NANDO database.
Continual Improvement (Clause 10)
Modern compliance is an ongoing process, not a certificate. Every evidence chain should show not only creation, but periodic review, correction, and update activity, driven by regulatory changes and NANDO updates.
- *In Practice*: Use digital audit trails illustrating “who did what, when, and why”; this doesn’t just meet the letter of Article 35, it places your organisation in the regulator’s trust zone.
Data Governance and Evidence Accessibility
High-risk AI involves sensitive data, and regulators want robust, transparent chains of custody. Your records must prove every data movement is tightly linked to the responsible notified body, verified and exportable on demand.
- *In Practice*: Use access-controlled, auditable platforms (like ISMS.online) to track, log, and re-link every record to the current notified body, securing both data and compliance in one workflow.
How to Build Living, Audit-Proof Evidence with ISO 42001
The pathway to bulletproof Article 35 compliance is grounded in agility and automation, not old-school “set-and-forget.” Here’s the real workflow top teams follow:
1. Establish System Boundaries and Ownership
Map every AI system with clear context, data flow, and ownership trails. Assign accountability now, before the official notified body is even appointed. Use digital platforms that track owners, reviewers, and change-makers for every record.
2. Justify All Decisions with Regulatory Rationale
Document why each data movement, decision, or process choice exists. Show reviewer notes, lawfulness checks, and governance alternatives. Living logs, not stale screenshots, win audits.
3. DPIAs and Bias Logs with Notified Body Traceability
Risk, privacy, and ethics assessments are meaningless if static. Each log must be designed so that when a notified body is added or swapped on the NANDO list, your record updates live, with no gaps and no ambiguity.
4. Dynamic, Centrally Managed Evidence Stores
Adopt cloud platforms, like ISMS.online, that centralise all compliance evidence (audit logs, risk registers, policies) for instant update when regulations or notified body lists change. Manual, fragmented workflows are a liability.
Centralised, dynamically updating evidence is resilient in the face of any regulatory change, eliminating scramble and allowing you to control your own compliance fate.


How High-Trust Teams Stay Audit-Native Amid Notified Body List Changes
Trust is built on readiness, not on “hope for the best.” Organisations that lead on audit outcomes don’t hand compliance to chance or paper documents; they build real-time infrastructure for change.
Habits of High-Trust, Responsive Compliance
Automated List Integration: Connect every compliance evidence chain to regulatory APIs or trusted feeds. When NANDO updates, your artefacts, IDs, and references update too, with no manual intervention.
Clear Evidence Ownership: Each record, risk, and approval needs a named owner. This enables rapid response, updates under pressure, and failsafe audit readiness. Ownership isn’t a burden; it’s a competitive advantage.
Instant Evidence Export: Boards, regulators, buyers, and auditors all expect instant demonstration of your compliance position, linking every claim to the current notified body record. Never be caught hunting for documents or scrambling for updates.
Active AIMS platforms automate crucial updates as new bodies appear or records change, offering instant traceability, clear control ownership, and exportable compliance artefacts. (controlcase.com; iso.org/standard/81228.html)
Today, the organisations that win audits prove living compliance: dynamic, always current, inherently trustworthy.
Dynamic Compliance Wins Buyers, Boards, and Markets
The value of living, adaptive compliance architectures extends far past audit checklists. As regulatory scrutiny sharpens, so too does the focus from buyers, boards, and partners on your nimbleness and reliability.
Evidence-First Governance Builds Boardroom and Market Power
Board Confidence: When control records, system register entries, and regulated evidence can be exported at a moment’s notice, you demonstrate not just compliance but trustworthiness and competitive edge.
C-Suite Leadership: Adaptive compliance signals to investors and senior stakeholders that your organisation doesn’t just react; it preempts, adapts, and leads. That’s what future-ready markets demand.
Procurement Preference: The buying community quietly removes risk at every step. Teams that prove real-time compliance integration, especially around rapidly changing requirements or notified body lists, are preferred. “Responsive” brands close deals, reduce bid challenge, and avoid last-minute blockers.
Being ready for every regulatory or body-list pivot isn’t just about checking the box. It’s the new standard for compliance leadership.
Go Beyond Tick-Box Compliance: ISMS.online Delivers Living Article 35 and Notified Body Assurance
Teams that still treat compliance as paperwork ensure tomorrow’s nonconformity headlines. Modern compliance is real time, automated, and fully mapped across every risk, every authority, every system.
ISMS.online gives you:
- Live linking between systems, risk logs, audit trails, and notified body status, so every change surfaces instantly and every artefact is prepared for evidence.
- Customizable ISO 42001 frameworks to cross-link controls, risks, data protection, and notified body records, so regulatory changes don’t cause panic.
- Board-to-operations visibility, keeping every stakeholder (exec, owner, auditor, or regulator) fully informed, instantly.
Organisations deploying AIMS see faster audits, stronger trust, and a lasting procurement edge. (njordium.com/2025/06/12/navigating-security-and-privacy-challenges-in-the-eu-ai-act-the-role-of-iso-iec-42001/)
Don’t let the next regulatory update catch you off guard. Operating with living compliance is not only possible; it’s the competitive edge buyers, partners, and auditors now expect.
Experience Adaptive Article 35 Compliance: Connect With ISMS.online
Real compliance mastery isn’t a stack of paperwork or a frantic search for the latest NANDO snapshot. It’s your organisation’s ability to update proof, connect every AI system to the correct notified body, and export audit-ready evidence on demand.
With ISMS.online, your journey to living, always-current Article 35 compliance is not only secure, but smooth. Abandon guesswork, automate adaptation, and step into measurable, audit-native confidence, exactly when it matters.
See how ISMS.online can make living Article 35 compliance your strategic advantage, now and through every change tomorrow brings.
Frequently Asked Questions
How does the EU AI Act assign and validate notified body numbers, and what must your compliance workflow do differently in 2024?
The European Commission is the only authority that designates and numbers notified bodies under the AI Act, officially publishing every new entry in the live NANDO registry. You cannot download a static list or rely on consultant emails; today’s “certified” badge holds zero regulatory value if it lacks a direct, traceable NANDO reference. As of June 2024, no high-risk AI provider has an official assigned number in NANDO, making “pending” the only honest entry for body ID in system records. Every audit-proof compliance workflow should be engineered for instant connection: mapping each AI asset, certificate, and risk record to a future NANDO ID the minute it appears. A static table or spreadsheet shortcut will turn toxic the moment an auditor or trading partner spots a mismatch or expired body number.
A real compliance system is wired to the regulator, not to a consultant’s idea of what looks credible.
NANDO-First Compliance: Practical Steps
- Don’t trust vendor PDFs or shared tables; validate every notified body in the live NANDO system (https://nando.cenelec.eu/) before using an ID.
- Programme compliance logs so “pending” is stamped wherever the Commission has yet to publish an AI body.
- Insert live NANDO links in every audit record, certificate, or technical dossier; screenshots expire, hyperlinks don’t.
- Review your process for traces of legacy or “ghost” IDs; if any system asset points to an unofficial source, correct it immediately.
- Automate notifications: when NANDO updates, your main records and audit exports must refresh within hours, not days.
A workflow that’s slow to adapt or waffles between “advisory” and “official” designations guarantees embarrassment or, worse, regulatory penalty. ISMS.online is built for automatic tracking, so your audit trail never goes cold when the Commission moves.
What does Article 35 demand for AI system documentation, and how can you future-proof your audit evidence?
Article 35 insists on a living, exportable evidence chain: every AI instance mapped with a “paper trail” that links design, risk assessment, and the technical file directly to a valid notified body. This isn’t a dead PDF or entrenched spreadsheet; it’s a real-time, updatable process. Each system’s compliance record should be “audit-ready” at all times, with provisional (“pending”) markers on any entry awaiting NANDO assignment. A lost or incoherent audit trail stalls certification, freezes procurement, or destroys credibility with clients and regulators.
If you can’t patch a new body number into every asset trail within hours, your audit readiness is a mirage.
Engineering Living Audit Evidence
- Assign dynamic scope and technical records to each system, always ready to link or update with an official notified body number and NANDO status.
- Map conformity certificates, risk logs, and chain-of-custody summaries to the official register, with no lag between regulatory change and audit record.
- Each log should explain not just the technical rationale (“why this algorithm, why this data”), but the living status of every third-party reference, including pending or mapped body ID.
- Use versioning and automated stakeholder assignment throughout; no update should be lost in manual change logs or shared drives.
With ISMS.online, you build dynamic, auto-updating audit trails: every record reflects current status, triggers notifications on change, and exports evidence packs on demand. Clients, regulators, or investors get instant proof that no shortcut or patchwork will ever surface.
Why does ISO/IEC 42001 make your compliance instantly traceable, even before NANDO lists go live?
ISO/IEC 42001 provides the backbone: its technical controls, risk registers, and ownership allocation protocols are designed for dynamic mapping the instant any regulatory field changes. While you can’t “ISO-certify” Article 35 compliance in a vacuum, a properly deployed 42001 management system builds traceability and ownership into every log, action, and asset. That means when the EU posts a new notified body number, your audit and procurement trails already have a field wired for instant, regulator-verified linkage, with no risky manual patching required.
Audit resilience is designed at the system level; you shouldn’t bolt on compliance after the fact.
ISO/IEC 42001 Clauses that Anchor This Advantage
- Clause 4 centres on context and asset boundaries, foundational for segmenting your AI estate and mapping future regulatory changes.
- Clause 8 codifies lifecycle registers: each action, risk, and approval event is versioned and cross-referenced.
- Clause 10 bakes in continual improvement: every modification, role change, or file update is logged, time-stamped, and ready for export.
- Data governance provisions bind chain-of-custody, access, and technical rationale directly to the updateable asset map.
A compliance system built on 42001 isn’t just “audit ready”; it’s “audit proof,” flexing instantly to every new Commission update or regulatory anomaly. ISMS.online was engineered to activate this advantage from day one, not after the first failed review.
How can your organisation guarantee audit resilience as notified body lists and compliance rules evolve in real time?
Audit resilience isn’t about working overtime before a deadline; it’s the direct result of automated, system-wide linkage between assets, risks, documentation, and regulatory authorities. Every smart compliance team ensures their evidence and reporting export the current NANDO list, not last week’s version or a “pending” placeholder lost in the shuffle. Role assignments, approval chains, and log versioning must all be transparent and instantly exportable. Automation isn’t a luxury; it’s table stakes for defending both company reputation and legal position.
Risks of Static or Lagging Compliance
- Evidence trails that reference non-current NANDO info trigger instant audit failure or regulator fines.
- Out-of-date conformity certificates can freeze product launch or procurement, costing millions.
- Rebuilding audit logs after the fact shreds trust; no leadership team recovers from major embarrassment twice.
Compliance that lives in spreadsheets dies in audits. Let your system prove your readiness, not your last-minute scramble.
ISMS.online’s design secures all links in the compliance chain, auto-refreshes with every regulatory status change, and delivers exportable assurance built to withstand the sharpest auditor’s probe.
Which myths about Article 35, notified bodies, and ISO/IEC 42001 pose the highest risk to audit success?
The most damaging myth: “ISO 42001 certification gets you an AI Act pass.” Not so: compliance is only real the moment your evidence wire-maps every asset, certificate, and register to a NANDO-issued body, with real-time exports to show it. Any vendor or adviser claiming “end-to-end compliance” without a pathway to live notified body mapping is making your audit risk someone else’s liability.
- Responsible leadership requires “readiness status” stamped on all internal logs, never faked or inferred from third-party summaries.
- Beware proprietary or “consultant-issued” ID lists; these are instant red flags for auditors, procurement, and multinational partners.
- Certifications and SIEM dashboards are not evidence unless they include built-in triggers for immediate status injection from the regulator.
Recognising Real vs. Cosmetic Compliance
- “Our system logs are programmed for live NANDO linkage; every asset status is pending, not assumed.”
- “We trust only published Commission sources; no substitute documentation stands in an external or internal audit.”
- “Every certificate, export, and conformance claim is flagged and mapped the moment a notified body number updates.”
Ethical compliance means your real work is invisible to the outside, until it needs to defend your business in an audit or inquiry.
What turns cosmetic compliance into operational leadership under Article 35, and how do you build that reputation?
Real compliance is visible at every stakeholder level: the board sees asset linkages; auditors follow the fast chain-of-custody updates; regular users and clients know every technical document can be mapped to the current Commission baseline in minutes. ISMS.online equips you to:
- Map every system, certificate, and asset to the right NANDO field as soon as regulators assign the numbers.
- Push automatic policy and template updates, so zero manual intervention is ever needed when legal context changes.
- Export assurance packs at a moment’s notice that reflect the real, live status, with no static PDFs or “frozen” policy guides.
- Build operational resilience into every compliance routine, so your next audit is just another, ordinary business day.
Regulators don’t care about effort; they care about proof. Be the leader with living, exportable records ready for inquiry in real time.
Ready to step beyond minimal compliance and anchor your organisation at the front of Article 35 audit-proof leadership? Explore ISMS.online’s living compliance platform, where assurance is built into your muscle memory, reputation, and every audit at once.